Activate Ansible environment
pyenv activate ansible;
export ANSIBLE_CONFIG=./ansible.cfg;
Load the AWS profile to use for the dynamic inventory
export AWS_PROFILE=conatest
CFSSL is CloudFlare's PKI/TLS swiss army knife. It is both a command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates. It requires Go 1.12+ to build. ... CFSSL consists of:
- a set of packages useful for building custom TLS PKI tools
- the
cfssl
program, which is the canonical command line utility using the CFSSL packages.- the
multirootca
program, which is a certificate authority server that can use multiple signing keys.- the
mkbundle
program is used to build certificate pool bundles.- the
cfssljson
program, which takes the JSON output from thecfssl
andmultirootca
programs and writes certificates, keys, CSRs, and bundles to disk.
Mac
brew install cfssl
Linux
wget -q --show-progress --https-only --timestamping \
https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64
sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
We need to generate:
- Certificate Authority
ca-config.json
ca-csr.json
ca-key.pem
ca.pem
- Client and Server Certificates
admin-csr.json
admin-key.pem
admin.pem
- The Kubelet Client Certificates
{{ private_dns_name }}-csr.json
{{ private_dns_name }}-key.pem
{{ private_dns_name }}.pem
- The Controller Manager Client Certificate
kube-controller-manager-csr.json
kube-controller-manager-key.pem
kube-controller-manager.pem
- The Kube Proxy Client Certificate
kube-proxy-csr.json
kube-proxy-key.pem
kube-proxy.pem
- The Scheduler Client Certificate
kube-scheduler-csr.json
kube-scheduler-key.pem
kube-scheduler.pem
- The Kubernetes API Server Certificate
kubernetes-csr.json
kubernetes-key.pem
kubernetes.pem
A digital certificate is a form of identification, that provides information about the identity of an entity.
It is issued by a CA, or Certification Authority.
PKI consist of protocols, standards and services, that allows users to authenticate each other using digital certificates that are issued by a CA. The X.509, PKI X.509 and Public Key Cryptography Standards are the building blocks of a PKI System.
- Generate a Key Pair
- User A requests the certificate of the CA.
- CA responds with its CA certificate including its Public Key.
- After gathering information, User A requests the certificat which has User-A's identity and Public Key.
- The CA verifies the identity of User A.
- The CA issues a certificate for User A.
TLS, based on SSL, provides data encryption, data integrity, and authentication.
TLS allows to send messages that can be changed, and that can't be read by third parties. To do this, we need to encrypt and sign the message. Both of this processes requires keys.